Last updated: 2025-06-24

AWS IAM Requirements

To connect ServerSage with your AWS environment, certain IAM configurations are required to enable Systems Manager (SSM) functionality and allow secure communication with your target servers.

Create AWS Account

AWS Account

If you already have an AWS account, you can skip this step.

ServerSage currently uses AWS Systems Manager (SSM) to manage and communicate with your target servers. Therefore, you’ll need an active AWS account.

👉 Create an AWS account

Create IAM User with Required Permissions

IAM User

If you already have an IAM user with the required permissions, you can skip this step.
But we recommend creating a dedicated IAM user for ServerSage to ensure least-privilege access.

ServerSage requires an IAM user with specific permissions to interact with AWS Systems Manager and manage your infrastructure.

👉 Create an IAM user

Required Policies for the IAM User
- AdministratorAccess

AWS Access Key & Secret Access Key

After creating your IAM user, generate the Access Key ID and Secret Access Key.
These credentials are required to configure the AWS CLI and enable ServerSage to authenticate API requests.

👉 How to create and retrieve access keys

🔐 Keep these keys secure — they provide programmatic access to your AWS resources.

Configure AWS CLI with IAM User Credentials

Once you have your IAM user credentials, configure the AWS CLI to use them.

First make sure you have the AWS CLI installed on your local machine. If you haven't installed it yet, follow the AWS CLI installation guide.

Open a terminal and run the following command:

aws configure

You will be prompted to enter your Access Key ID, Secret Access Key, Default region name, and Default output format.
Make sure to enter the correct values as per your AWS account settings.

AWS Access Key ID [None]: <Your_Access_Key_ID>
AWS Secret Access Key [None]: <Your_Secret_Access_Key>
Default region name [None]: <Your_Default_Region>  # e.g., us-east-1
Default output format [None]: json

Create IAM Role with Required Permissions

To allow ServerSage to manage your AWS resources, you need to create an IAM role with the necessary permissions.
This role will be assumed by the ServerSage Bastion to perform actions on your behalf.

Recommendation

THIS METHOD NEED AWS CLI INSTALLED AND CONFIGURED.

We recommend for IAM role creation to use the create_iam_role.sh script provided by ServerSage.
This script automates the creation of a dedicated IAM user and role with the necessary permissions for ServerSage Bastion usage.

Create the IAM role using the provided script

📥 Download create_iam_role.sh
After downloading the script, you can run it to create the IAM role:

chmod +x create_iam_role.sh
./create_iam_role.sh

The script will prompt you to enter a user name and a role name, and it will create the IAM user and role with the required permissions.

Manually create the IAM role via the AWS Management Console

If you prefer to create the IAM role manually, follow these steps

👉 Create an IAM role

After creating the role, you will need to attach the required policies.

⚠️ You can use a custom policy setup later, but for the initial configuration we recommend follow required access to avoid permission errors.

Required Policies for the IAM Role
- AmazonSSMManagedInstanceCore

Attach trusted policy to the role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ssm.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
          "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}